Secure active networks

ABSTRACT

A secure active network includes a plurality of secure elements which communicate with one another to share and log information such as identification, location, and user activity associated with each secure element. Secure elements exchange data with one another, and log data received. The periodicity of communication between secure elements, encryption of the information, and the operating frequency in which the information is transmitted and received may be changed if communication is lost between any of the secure elements or if a determination is made that a secure element has traveled outside a predetermined zone. The integrity of the secure network may be verified at any time by comparing the logged information to a reference network.

FIELD OF DISCLOSURE

The present disclosure relates generally to networks and specifically to active network security.

BACKGROUND

Active network systems are often implemented to enable networked elements which are part of the active network to respond to perceived security threats.

While the networked elements may communicate with one another to determine rudimentary information such as general operating status, the devices coupled to the networked elements, such as consumer goods, for example, may be the target of theft, replacement by a forgery, and/or unauthorized use. Such malicious acts may go unnoticed in a standard networked system, since the network is not capable of determining the difference between a missing or unauthorized device and a device which is powered off or temporarily disconnected from the network.

Furthermore, networked devices may be left for long periods of time in an unsecure environment, such as in a warehouse or a shipping container. Because of this, these devices are susceptible to theft whereby the physical outer packaging of the device is left intact. At a glance, the packaging of the device may appear to be secure, but the packaging could in actuality be empty or the original device replaced with a counterfeit device. In such a situation, long periods of time may elapse whereby the integrity of the original devices is unknown. Due to the fact that the devices are not actively monitored, the owner or manufacturer of the devices may not realize that the devices have been stolen, replaced, or removed from the network, until long after the devices have already been removed.

What is needed, therefore, is a network architecture which may verify the integrity of the networked devices by monitoring a log of communication between the devices, dynamically changing the properties of the network if network integrity is compromised, and alerting the other devices and/or the owner of the devices to a loss of integrity of any device.

BRIEF DESCRIPTION OF THE DRAWINGS/FIGURES

FIG. 1 illustrates a block diagram of a secure active network according to an exemplary embodiment of the disclosure;

FIG. 2 illustrates a secure element according to an exemplary embodiment of the disclosure;

FIG. 3 illustrates an example of a data log stored by a secure network element according to an exemplary embodiment of the disclosure;

FIG. 4 is a flowchart illustrating a secure element data logging operation according to an exemplary embodiment of the disclosure;

FIG. 5A illustrates a network verification system according to an exemplary embodiment of the disclosure;

FIG. 5B illustrates a network verification system secure element data log analysis according to an exemplary embodiment of the disclosure;

FIG. 6 is a flowchart illustrating a network verification system procedure according to an exemplary embodiment of the disclosure;

FIG. 7 is a flowchart illustrating a dynamic network operation according to an exemplary embodiment of the disclosure; and

FIG. 8 illustrates a multi-user secure active network system in accordance with an embodiment of the disclosure.

The disclosure will now be described with reference to the accompanying drawings. In the drawings, like reference numbers generally indicate identical, functionally similar, and/or structurally similar elements. The drawing in which an element first appears is indicated by the leftmost digit(s) in the reference number.

DETAILED DESCRIPTION OF THE DISCLOSURE

The following Detailed Description refers to accompanying drawings to illustrate exemplary embodiments consistent with the disclosure. References in the Detailed Description to “one exemplary embodiment,” “an exemplary embodiment,” “an example exemplary embodiment,” etc., indicate that the exemplary embodiment described may include a particular feature, structure, or characteristic, but every exemplary embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same exemplary embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an exemplary embodiment, it is within the knowledge of those skilled in the relevant art(s) to affect such feature, structure, or characteristic in connection with other exemplary embodiments whether or not explicitly described.

FIG. 1 illustrates a block diagram of a secure active network according to an exemplary embodiment of the disclosure. Secure active network 100 includes secure elements 102, 104, 106, 108, and 110, reader 112, and network verification system 114. As would be appreciated by a person having ordinary skill in the art, secure active network 100 may include any number of secure elements.

In embodiments, a secure element is configured to be attached to an item or a device. For example, a secure element may be coupled to a device such as a computer or may be coupled to a pallet containing multiple items or devices. In addition, or alternatively, a secure element may be integrated into a device.

Secure elements 102, 104, 106, 108, and 110 communicate with one or more other secure elements via communication links, such as communication links 101.1 through 101.i. For example, secure element 104 communicates with secure elements 102 and 106, whereas secure element 110 only communicates with secure element 108. In this manner, an ad hoc or mesh network is created. In a wireless embodiment, the location of secure elements may vary over time. In these embodiments, a secure element may communicate with additional or different secure elements during the time period. Communication links 101.1 through 101.i may be wired or wireless connections. Although secure elements 102, 104, 106, 108, and 110 are illustrated in FIG. 1 as communicating directly with one another as indicated by the two-way arrows, secure elements 102, 104, 106, 108, and 110 may also communicate with one another indirectly, utilizing a network hub, for example (not shown). A network hub may facilitate communication between secure elements 102, 104, 106, 108, and 110 and/or provide a common point of connection such that the secure elements 102, 104, 106, 108, and 110 need not be in wireless communications range of one another to communicate.

In an embodiment of the present disclosure, a secure element participates in communications sessions with one or more other secure elements according to a communications schedule. The schedule may set forth the timing of communication. For example, communications sessions may be separated by intervals of no communications. A secure element may encrypt some or a portion of the data prior to transmission to a communication partner.

A secure element stores identification information which uniquely identifies the secure element within the network. In an embodiment, the serial number of a device or item coupled to the secure element 102 is used as the identification information. In these embodiments, the serial number may be represented as a bitstring which is masked within a predetermined length of randomly generated data. In this way, if someone receives, or “snoops” data communicated and exchanged between secure elements, the serial number may not be easily discerned without knowledge of the predetermined lengths. For example, Equation (1) below provides a representation of a bitstring that may be communicated and logged between two secure elements:

[Random(x)][Serial Number(m)][Customer Data(y)][Random(z)]  (1)

Equation (1) provides four data fields, the variables x, m, y, and z being indicative of bit lengths of each respective data field. The serial number may be a fixed length less than m, with the least significant or most significant remaining portion of the serial number data field being padded with ones or zeroes to fill the remaining bits of the overall bit length m. Similarly, the customer data field may be any bit length y, which may include manufacturer information such as a factory manufacturing code or country code, for example, or any other information, with the remaining bit length padded accordingly. The random data fields are of length x and z, which may be the same or different lengths, and are filled with randomly generated bits at each of the secure elements 102, 104, 106, 108 and 110 during production, for example.

Using Equation (1) to communicate and log data within secure elements 102 and 104 provides added security within secure active network 100. If an unauthorized user obtains the bitstring represented by Equation (1), the serial number may not be easily deciphered without knowledge of the mask which includes the appropriate lengths x, m, y, and z.
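The field layout of Equation (1) can be exercised with a short packer and parser. This is an added example, not code from the disclosure; the class and function names, the sample lengths and values, and the choice of zero padding on the most significant side are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Mask:
    """Bit lengths of the four fields of Equation (1); the lengths are the shared secret."""
    x: int  # leading random field
    m: int  # serial number field
    y: int  # customer data field
    z: int  # trailing random field

    @property
    def total(self) -> int:
        return self.x + self.m + self.y + self.z


def _bits(value: int, width: int, name: str) -> str:
    """Render value in exactly `width` bits, zero-padding the most significant side."""
    if width <= 0:
        raise ValueError(f"{name}: field width must be positive")
    if value < 0 or value.bit_length() > width:
        raise ValueError(f"{name}: value does not fit in {width} bits")
    return format(value, f"0{width}b")


def pack(mask: Mask, serial: int, customer: int,
         lead: Optional[int] = None, trail: Optional[int] = None) -> str:
    """Build [Random(x)][Serial Number(m)][Customer Data(y)][Random(z)] as a '0'/'1' string.

    The random fields are drawn here unless supplied; the page suggests they are
    generated once per secure element, for example during production.
    """
    lead = secrets.randbits(mask.x) if lead is None else lead
    trail = secrets.randbits(mask.z) if trail is None else trail
    return (_bits(lead, mask.x, "Random(x)") + _bits(serial, mask.m, "Serial Number")
            + _bits(customer, mask.y, "Customer Data") + _bits(trail, mask.z, "Random(z)"))


def unpack(mask: Mask, bits: str) -> Tuple[int, int]:
    """Recover (serial number, customer data) from a bitstring using the mask lengths."""
    if len(bits) != mask.total or set(bits) - {"0", "1"}:
        raise ValueError("bitstring does not match the mask")
    start = mask.x
    serial = int(bits[start:start + mask.m], 2)
    customer = int(bits[start + mask.m:start + mask.m + mask.y], 2)
    return serial, customer


# Constructed sample values: an 80-bit record with a 40-bit serial number field.
MASK = Mask(x=13, m=40, y=16, z=11)
SERIAL = 0x12AB34CD
CUSTOMER = 0x0231  # stands in for a factory or country code

if __name__ == "__main__":
    record = pack(MASK, SERIAL, CUSTOMER)
    print(record)
    print(unpack(MASK, record) == (SERIAL, CUSTOMER))        # parsed with the right mask
    print(unpack(Mask(8, 40, 16, 16), record)[0] == SERIAL)  # same total, wrong lengths
```

The mask hides only where the serial number sits in the record; it is the separate encryption of communications and logs described in the disclosure that protects the content itself.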

Secure elements 102, 104, 106, 108, and 110 are configured to transmit data to other secure elements. The data includes, for example, the identifier of the secure element and a set of communication and/or location information. The location information can include data representative of a physical location of the secure element. The secure element stores all or a portion of the data received from its communication partners in one or more logs. The data log may also contain a timestamp indicating when the communications occurred and whether the communications between the secure element and its communication partner was successful.

The data log comprises data received from each communication partner of the secure element for every scheduled communications session. Additionally, the data log may include some or a portion of the data transmitted to each communication partner. During communication sessions, a secure element may also store location data representative of a physical location of the secure element and/or location data received from its communication partners. All or a portion of the data log may be stored in encrypted form. Secure element logs are described in further detail below.

Reader 112 is configured to communicate with secure elements 102, 104, 106, 108, and 110 via communication links 103.1 through 103.n, and to communicate with network verification system 114 via communication link 105. Reader 112 may be configured to communicate with secure elements using unencrypted or encrypted communications. Communication links 103.1 through 103.n and communication link 105 may be wired or wireless connections. Reader 112 may be a near field communication device (e.g., an RFID reader) or may communicate via wireless or wired protocols. Reader 112 is configured to transmit data, such as instructions, controls, and/or commands, for example, to the secure elements. Reader 112 is configured to receive data from secure elements 102, 104, 106, 108, and 110, including the logged data, and transmit this data to network verification system 114. In embodiments, reader 112 is optional. In these embodiments, the functionality to communicate with secure elements is incorporated within network verification system 114.

Network verification system 114 is configured to communicate with reader 112 to process the data received from the secure elements. In an embodiment of the present disclosure, network verification system 114 receives logged data from secure elements 102, 104, 106, 108, and 110. Network verification system 114 then processes the logged data to reconstruct secure active network 100 over a period of time by analyzing the history of communications sessions associated with each of the secure elements 102, 104, 106, 108, and 110.

Network verification system 114 is configured to store one or more reference secure network profiles. A reference secure network profile may include information specifying the configuration of the secure network over a period of time. For example, a reference secure network profile may specify the secure element communications map for the network including the communications pairs within the network. The reference secure network profile may also include the communications schedule for each secure profile as well as an expected location profile for each secure element over a period of time. By comparing the reconstructed network to the reference secure network profile, network verification system 114 may determine whether any of the secure elements have been compromised.

FIG. 2 illustrates an exemplary secure element 200 of FIG. 1, according to an exemplary embodiment of the disclosure. Secure element 200 includes processor 202, verification module 212, secure element communications module 204, secure element communications interface 210, and memory 206. Secure element 200 may be implemented as part of a CPU, chipset, integrated circuit (IC), application specific integrated circuit (ASIC), or as a standalone component.

Processor 202 is coupled to secure element communications module 204 and memory 206 via communications links 203 and 205, respectively. Communications links 203 and 205 may be communication buses. Processor 202 is configured to control other components of the secure element including secure element communications module 204 and memory 206. Processor 202 may be implemented using hardware, software, and/or logic configured to communicate and control components of the secure element.

In an embodiment of the present disclosure, processor 202 determines a network communications map for the secure element. For example, processor 202 determines what secure elements are within communications range of the secure element. Processor 202 stores a list of other secure elements within communications range of secure element 200 in memory 206. The list may include an identification number associated with each secure element. Thereafter, processor 202 instructs secure element communications module 204 to initiate communications with the identified secure elements according to a communications schedule.

Secure element 200 may include a location tracking module 208. Because location data may propagate throughout all secure elements of a secure active network, each secure element in the network may not require a location tracking module 208. Location tracking module 208 is configured to determine the physical location of secure element 200. The location tracking module may be implemented as a Global Navigation Satellite Signal (GNSS) receiver, for example. In embodiments of the present disclosure where secure element communications module 204 is configured to support cellular protocols, location tracking module 208 may communicate with secure element communications module 204 to utilize assisted GNSS techniques.

Processor 202 may further include verification module 212. Verification module 212, when present, is configured to identify anomalies indicative of a compromise of one or more elements of the ad hoc network. As will be appreciated by those having ordinary skill in the art, verification module 212 may be implemented as software executing within processor 202, or as a standalone processor coupled to processor 202. Verification module 212 analyzes location data and/or logged data to determine whether one or more of its communications partners has been compromised. If a secure element has been compromised, verification module 212 causes the secure element to transmit a data flag to its communication partners.

In accordance with this embodiment, verification module 212 may prioritize the detected conditions. For example, verification module 212 may set a low priority flag if the logged data indicates that communications have been lost between a secure element and one or more of its communication partners for a number of communications sessions. Verification module 212 may set a higher priority flag if the location data received from location tracking module 208 indicates that a secure element has been removed from an allowed zone.

Verification module 212 may correlate a stored communications profile to a data flag. Upon receipt of a data flag, secure element 200 retrieves a communications profile associated with the data flag and makes necessary modifications. For example, the data flag may cause the secure elements to move to encrypted communications, change the frequency of communications, and/or may change the communications schedule.

If a data flag is generated at the secure element 200 or received from one of its communications partners, secure element 200 then transmits the data flag to all of its communication partners. In this way, the data flag propagates through the entire secure active network. Each of secure elements 102, 104, 106, 108, and 110 may be configured to execute the same communication profile according to receipt of the same data flags. Therefore, if any of the secure elements determine that another secure element has been compromised, the entire secure active network dynamically synchronizes to utilize the same communications profile.
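The data flag propagation described above can be simulated on the mesh of FIG. 1, including the case where an unreachable element cuts part of the mesh off from the flag. This is an added example, not code from the disclosure. The flag names, the profile values, the 106-108 link, and the rule that a flag is adopted only when it outranks the one already held are assumptions.

```python
from collections import deque

# Communications profile selected by each data flag. Flag names and profile
# values are constructed; the page only says a flag maps to a stored profile.
PROFILES = {
    "NONE": {"encrypted": False, "interval_min": 10},
    "LOW": {"encrypted": True, "interval_min": 10},   # communications lost
    "HIGH": {"encrypted": True, "interval_min": 2},   # element left its allowed zone
}
RANK = {"NONE": 0, "LOW": 1, "HIGH": 2}

ELEMENTS = (102, 104, 106, 108, 110)
# Links of FIG. 1: 104 talks to 102 and 106, and 110 only to 108 (from the page);
# the 106-108 link is assumed.
LINKS = [(102, 104), (104, 106), (106, 108), (108, 110)]


def partners(links, element, offline):
    """Communication partners of `element` that are currently reachable."""
    found = set()
    for a, b in links:
        if element in (a, b):
            other = b if element == a else a
            if other not in offline:
                found.add(other)
    return found


def propagate(links, state, origin, flag, offline=frozenset()):
    """Flood `flag` from `origin` and return the elements that adopted it, in order.

    `state` maps element -> flag in effect and is updated in place. An element
    adopts and forwards a flag once, and only if it outranks the flag it already
    holds (assumed rule), so the flood terminates even when the mesh has cycles.
    """
    adopted, queue = [], deque([origin])
    while queue:
        element = queue.popleft()
        if element in offline or RANK[flag] <= RANK[state[element]]:
            continue
        state[element] = flag
        adopted.append(element)
        queue.extend(partners(links, element, offline))
    return adopted


def profile_of(state, element):
    """Communications profile the element is currently executing."""
    return PROFILES[state[element]]


if __name__ == "__main__":
    state = {e: "NONE" for e in ELEMENTS}
    print(propagate(LINKS, state, 102, "LOW"))    # whole mesh synchronizes
    print(propagate(LINKS, state, 106, "HIGH"))   # higher priority replaces LOW
    cut = {e: "NONE" for e in ELEMENTS}
    print(propagate(LINKS, cut, 102, "LOW", offline={108}), cut[110])
```

With element 108 unreachable, element 110 never receives the flag and keeps its old profile, which is why the log comparison at the network verification system is still needed after the fact.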

Memory 206 is configured to store the data log for the secure element. Memory 206 may be implemented as any number of volatile and/or non-volatile modules or partitions. Although memory 206 is illustrated in FIG. 2 separate from processor 202, those skilled in the art will appreciate that the memory 206 may be integrated with processor 202.

In embodiments of the present disclosure, data stored in memory 206 is encrypted using an encryption key. The same encryption key may be utilized by all secure elements within secure active network 100 during a scheduled communications session. Any number of encryption keys may be written to a non-volatile portion of memory during production, for example.

Memory 206 may be partitioned into secured and unsecured address partitions. The unsecured address partitions may include identification information associated with secure element 200, data log for the secure element, network profile information such as data flags, location data, and/or any data used by verification module 212, such as allowed operation zone data. The secured partition of the memory 206 may include one or more encryption keys and processor 202 may embed an index or address indicative of which encryption key is used for a particular communications session within the data sent to other secure elements. The secured partition of memory 206 may be accessible by secure processor 214 (when present) and/or processor 202.

The secure element may further include a secure processor 214. Secure processor 214 is configured to perform cryptographic operations required by secure element 200. As discussed above, data exchanged between secure elements and/or between secure element 200 and reader 112 may be encrypted. Secure processor 214 is configured to encrypt and decrypt data transmitted and received from secure element 200. Secure processor 214 may change security parameters (e.g., encryption key) according to instructions received from processor 202.

Secure element communications module 204 is coupled to secure element communications interface 210 via communications link 201. Communications link 201 may be a communications bus. Secure element communications module 204 may be implemented with any number of amplifiers, oscillators, drivers, modulators, and/or demodulators, for example, to send and/or receive data to and from another secure element, such as secure element 104. Secure element communications module 204 may modulate and send data provided by processor 202 to another secure element, such as secure element 104. Secure element communications module 204 may receive and demodulate data sent from another secure element, such as secure element 104, to processor 202. Secure element communications module 204 communicates with other secure elements according to a communications protocol.

Secure element communications interface 210 provides a physical layer for secure element to element communication. Secure element communications interface 210 may be implemented with any number of antennas, couplers, and/or wired connectors, for example. Secure element communications interface 210 may be configured to enable both near-field and far-field communications for secure element communications module 204.

In an embodiment, secure element 200 may further include a reader communications module 216 and a reader communications interface 218. The secure element may communicate with a reader, such as reader 112, via a different method than with other secure elements. For example, if reader 112 is an RFID reader, reader communications module 216 and interface 218 will include hardware, software, and/or logic necessary to communicate with reader 112 via an RFID protocol.

FIG. 3 illustrates an example of a data log stored by a secure network element according to an exemplary embodiment of the disclosure. Each entry in the data log 300 includes a timestamp field 302, data field 304, and an optional location field 306.

Upon activation, the secure element determines what other secure elements are within communications range of the secure element (referred to as communications partners). The secure element then logs data received from each of its communications partners. For example, as illustrated in FIG. 3, secure element 106 is in communication with 102, 104 and 108. Although FIG. 3 illustrates each collection of data grouped by individual secure element, data log 300 would ordinarily contain identification information from each of secure elements 102, 104, and 108 to properly identify each group of data entries. In this way, reader 112 may properly parse the groups of data according to each secure element.

Data log 300 includes timestamp field 302 which identifies times of communications (attempted or successful) with its communications partners. As illustrated in FIG. 3, the first communications session for each of secure elements 102, 104, and 108 started at 13:03, and communication was attempted with each of the secure elements 102, 104, and 108 every 10 minutes thereafter.

Data field 304 contains data received from corresponding secure elements 102, 104, and 108. Data field 304 may include communication session information and/or data flags. If communications with any of its communications partners is not successful, data field 304 may include data indicative of the failed communications or may be empty. As illustrated in the example data log 300 shown in FIG. 3, secure element 106 was unable to communicate with secure element 104 at 13:13, but resumed communications at 13:23. Also in accordance with the example data log 300 shown in FIG. 3, secure element 106 communicated with secure element 108 once at 13:03, but then lost communications thereafter.

Location field 306 contains location data received from a communications partner. Depending on whether each of secure elements 102, 104, and 108 are configured with location tracking module 208, location field 306 may or may not include location data. As illustrated in the example data log 300 shown in FIG. 3, secure element 108 is not configured with location tracking module 208, and therefore no location data is received from secure element 108.

FIG. 4 is a flowchart 400 of a method for data logging at a secure element according to an exemplary embodiment of the disclosure. FIG. 4 is described with continued reference to the embodiments depicted in FIGS. 1-3. However, flowchart 400 is not limited to those embodiments.

In step 402, the secure element determines what other secure elements are within communications range of the secure element. For example, secure element 106 determines that secure elements 102, 104, and 108 are within communications range of secure element 106.

In step 404, the secure element performs a communications session with each of secure elements 102, 104, and 108, and logs data received in data log 300. Referring back to FIG. 3, a communications session between secure element 106 and secure element 108 occurred at time 13:03.

In step 406, the secure element 106 waits to receive a communications command from processor 202 in accordance with a communications schedule. As illustrated in the example data log 300, processor 202 commands secure element communications module 204 to communicate with secure elements 102, 104, and 108 every 10 minutes. If no command is received, processing remains at step 406. If a command is received, processing returns to step 404 where secure element 106 communicates with secure elements 102, 104, and 108 to exchange and log data. Referring back to FIG. 3, secure element 106 logs data at time entry 13:13 after receiving a command from processor 202. Once the log entry at 13:13 is written to memory 206, control flow proceeds back to step 404 to await the next communications command from processor 202 corresponding to the next communications session.

FIG. 5A illustrates an exemplary network verification system of FIG. 1, according to an exemplary embodiment of the disclosure. Network verification system 500 includes processor 504 and database 506.

In accordance with an embodiment of the present disclosure, network verification system 500 receives data from a reader such as reader 112 and stores the received data in database 506. The data received from reader 112 includes data logs from each of the secure elements in the secure network. Database 506 may further store one or more reference network signatures. A reference network signature includes the expected network configuration of the secure elements over a period of time. Thus, a reference network signature may include one or more snapshots of the expected network configuration at points in time. The reference network signature for a secure network may be programmed using a priori knowledge of secure elements which should comprise secure active network 100 and the allowed geographic operation zones for one or more of the secure elements.

The secure element may be part of a stationary network (the secure elements do not move). However, in embodiments of the disclosure, the secure element may be movable (such as during shipment). When secure elements are movable (and expected to be shipped), the reference network may specify different location ranges at different communication session times indicating a route of travel for the secure element.

Processor 504 is configured to identify whether one or more secure elements were tampered with over a predefined period of time. Processor 504 may identify conditions indicative of tampering at the network level and/or the individual secure element level. When analyzing at the network level, processor 504 is configured to reconstruct the actual network configuration of the secure network at various points in time using the received data logs. The actual (reconstructed) network configuration includes an identification of the secure elements in the network and the communications pairs within the network. Reconstructed network A depicted in FIG. 5A is a graphical representation of the configuration of network A at time t0. Processor 504 is then configured to compare the expected network configuration to the reconstructed network configuration to identify any deviations.

When analyzing at the secure element level, processor 504 is configured to compare the actual data logs from a secure element or group of secure elements to the expected logs for the secure element or group of secure elements. During the comparison, processor 504 may interpret the results to determine whether a difference indicates a compromised secure element or simply a secure element experiencing communications errors.

Processor 504 may prioritize the difference/deviation identified. In accordance with an exemplary embodiment of the disclosure, processor 504 may assign a lower priority to an identified difference if it is more likely than not that the difference is a communications error and not a security breach. Similarly, processor 504 may assign a higher priority if the location data indicates that one or more secure elements were removed from the allowed location zone for a period of time.

In accordance with an embodiment of the present disclosure, processor 504 may take different steps depending on the priority level of the compromise. Processor 504 may issue an alarm command if a level one priority compromise has been detected, and issue a warning and/or notification command if a level two priority compromise has been detected.

FIG. 5B illustrates an exemplary reference network signature 580 and reconstructed (actual) network signature 590, according to an exemplary embodiment of the disclosure. In this example, network A is expected to include four secure elements with the following network configuration:

-   102 and 104
-   102 and 106
-   104 and 106
-   106 and 108

The reference network signature includes the complete data logs for each of the four secure elements.

Reference network A includes parameters such as communications session timing, which is shown as occurring at 10 minute intervals after an initial communication time t0. In the secure network, only secure element 104 includes a location tracking module. Reference network A includes an indication of allowed locations for secure element 104 at each logged time interval. In this example, the location profile data is a range of zones.

Reconstructed network A provides the actual network configuration of the secure network over a period of time. The reconstructed network may include logs for each of the same elements. At a network level, the reconstructed log indicates that the secure network included four elements and four separate communication pairs. The reconstructed network also shows communications at three different times. The reconstructed network signature is therefore consistent with the expected network signature.

When viewed at the secure element level, several deviations from the expected behavior of the secure elements are evident. For the data log corresponding to secure element 106, reconstructed network A indicates that, at 13:13, secure element 106 was unable to communicate with secure element 102. Secure element log 106 also indicates that the location data received from secure element 104 at 13:23 is outside the allowed location range for secure element 104. For the data log corresponding to secure element 102, reconstructed network A indicates that the secure element failed to communicate with secure element 106 at all three communications times. The data log of secure element 102 also indicates an out-of-range condition for secure element 104 at 13:23. For the data log corresponding to secure element 104, reconstructed network A indicates that secure element 104 was not in communication with secure element 102 at 13:13. The logs for both secure element 106 and 104 indicate failed communication with secure element 102 at the same time.

FIG. 6 is a flowchart 600 of a method for network verification according to an exemplary embodiment of the disclosure. FIG. 6 is described with continued reference to the embodiments depicted in FIGS. 1-3 and 5A. However, flowchart 600 is not limited to those embodiments.

In step 602, the network verification system receives logged data for each of the secure elements in the secure network. In an embodiment, the network verification system receives the logged data from a reader, such as reader 112. In an alternate embodiment, the network verification system receives the logged data from the secure elements.

In step 604, the processor of the network verification system accesses database 506 to retrieve a reference network signature for each of the secure elements. Processor 504 determines the expected communication partners, associated network parameters and an expected location profile for each of the secure elements, using the reference network signature.

In step 605, the processor of the network verification system analyzes the logged data to generate a reconstructed network. The reconstructed network includes a recreation of the network using the data provided in the data log which indicates the history of communications, locations, and/or any communication errors between each of the secure elements and its communications partners.

In step 606, the processor of the network verification system compares the reconstructed network to the reference network. The processor compares the received data logs for each secure element to the expected logs which are provided by the reference network corresponding to each secure element. The processor determines any anomalous secure elements by verifying communications between each secure element and its communication partners according to each reference network. The processor further determines any anomalous secure elements by comparing the location profile data in each of the reference networks to the location data included in the received data logs.

In step 608, the processor of the network verification system determines that the reconstructed network is not equivalent to the reference network. For example, the processor may determine from the logged data that communication was lost between a secure element and more than one of its communication partners. The processor may determine that communication errors from a single secure element exceed a threshold number of errors as provided in the corresponding secure element's reference network signature. To provide another example, the processor may determine that location data from a secure element data log deviates from the location data range and/or location data profile in the corresponding secure element's reference network signature. The processor identifies and prioritizes any anomalous secure elements based on the type of anomaly.

In step 610, the processor of the network verification system determines that reconstructed network 512 is equivalent to reference network 510. The processor may determine no anomalies in any of the secure elements, or that the received data logs comply with any communication error thresholds and location ranges as indicated in the reference networks.

In step 612, the processor issues a notification and/or alarm command indicating an anomalous status for each secure element according to the priority level determined in step 608.
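The verification flow of steps 602 through 612, sketched as an added example (not code from the disclosure). The log layout, the one-coordinate location range, the 13:03 session, the error threshold of 3, and the rule that a miss logged by either side counts against both elements are assumptions; the high/low priorities borrow the mapping the claims give for data flags.

```python
from collections import defaultdict

HIGH, LOW = "high", "low"  # assumed priorities: location deviation vs. lost comms

# Constructed reference signature: expected partners, allowed location range
# (a single coordinate for brevity) and tolerated failed sessions per element.
REFERENCE = {
    "102": {"partners": {"104", "106"}, "zone": (0, 10), "max_errors": 3},
    "104": {"partners": {"102", "106"}, "zone": (0, 10), "max_errors": 3},
    "106": {"partners": {"102", "104"}, "zone": (0, 10), "max_errors": 3},
}

# Constructed logs: reporter -> (time, partner, data received?, partner location)
LOGS = {
    "102": [("13:03", "104", True, 4), ("13:03", "106", False, None),
            ("13:13", "104", True, 4), ("13:13", "106", False, None),
            ("13:23", "104", True, 27), ("13:23", "106", False, None)],
    "104": [("13:03", "102", True, 2), ("13:03", "106", True, 6),
            ("13:13", "102", False, None), ("13:13", "106", True, 6),
            ("13:23", "102", True, 2), ("13:23", "106", True, 6)],
    "106": [("13:03", "102", True, 2), ("13:03", "104", True, 4),
            ("13:13", "102", False, None), ("13:13", "104", True, 4),
            ("13:23", "102", True, 2), ("13:23", "104", True, 27)],
}


def reconstruct(logs):
    """Step 605: merge the per-element logs into one network history."""
    failed = defaultdict(set)      # element -> {(partner, time)} failed sessions
    sightings = defaultdict(list)  # element -> [(time, reporter, location)]
    for reporter, entries in logs.items():
        for time, partner, received, location in entries:
            if received:
                sightings[partner].append((time, reporter, location))
            else:
                # A miss logged by either side marks the session failed for both,
                # so an element that returns no log is still caught via its partners.
                failed[reporter].add((partner, time))
                failed[partner].add((reporter, time))
    return failed, sightings


def verify(reference, logs):
    """Steps 606-608: compare the reconstruction with the reference signature.
    An empty result is the step 610 outcome (networks equivalent)."""
    failed, sightings = reconstruct(logs)
    findings = []
    for element, sig in reference.items():
        low, high = sig["zone"]
        outside = sorted({t for t, _, loc in sightings[element]
                          if not low <= loc <= high})
        if outside:
            findings.append((HIGH, element, "location out of range", outside))
        lost = sorted({p for p, _ in failed[element]} & sig["partners"])
        # Lost with more than one partner, or more errors than the signature allows.
        if len(lost) > 1 or len(failed[element]) > sig["max_errors"]:
            findings.append((LOW, element, "communication lost", lost))
    findings.sort(key=lambda f: (f[0] != HIGH, f[1]))  # step 612: high priority first
    return findings


if __name__ == "__main__":
    for priority, element, anomaly, detail in verify(REFERENCE, LOGS):
        print(f"[{priority}] element {element}: {anomaly} {detail}")
```

Although element 102's own log blames element 106 three times, merging the logs shows 102 is the only element that lost contact with more than one partner, which is the corroboration the paragraph on reconstructed network A points out.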

FIG. 7 is a flowchart 700 of a method for dynamic network operation according to an exemplary embodiment of the disclosure. FIG. 7 is described with continued reference to the embodiments depicted in FIGS. 1-3 and 5. However, flowchart 700 is not limited to those embodiments.

In step 702, each secure element determines its communication partners that are within communications range. Thereafter, processor 202 instructs secure element communications module 204 to initiate communications with the identified secure elements according to a communications schedule.

In step 704, each secure element communicates with one or more of its communications partners to exchange and log data, according to the initial schedule and protocol established in step 702. Each secure element monitors data flags received from its communication partners which may be indicative of anomalies detected by other secure elements.

In step 706, verification module 212 of the secure element determines whether a data flag has been received. If a data flag has not been received, control flow passes back to step 704, and the secure element continues to monitor data received from its communication partners for data flags. If verification module 212 determines that a data flag has been received, then verification module 212 retrieves from memory 206 the communication profile settings corresponding to the particular data flag.

In step 708, the verification module commands appropriate components within its corresponding secure element to communicate with its communications partners and/or a reader according to the communications profile settings. The components controlled by verification module 212 depend on the type of anomaly. For example, if a data flag is indicative of a location-based anomaly, then verification module 212 may instruct secure processor 214 to strengthen encryption and/or change an encryption key. To provide another example, if a data flag is indicative of a communications-based triggering event, then verification module 212 may instruct secure element communications module 204 and/or reader communications module 216 to change communications protocols. In this way, the communications protocols between each secure element and its communication partners and/or a reader may be tailored to the type of anomaly.

FIG. 8 illustrates a multi-user secure active network system in accordance with an embodiment of the disclosure. Remote secure active network 800 includes smartphones 804 and 808, personal computer (PC) 802, laptop 806, server 810, and network verification system 812. Each of smartphones 804 and 808, the PC 802, and laptop 806 may include physical, virtual, and/or logical secure elements.

In embodiments of the present disclosure, smartphones 804 and 808, PC 802, and laptop 806 may each include a secure element, such as secure element 102, integrated as a part of each respective device. In further embodiments of the present disclosure, the secure elements are software elements, integrated within the operating system of each respective device, installed as an application (“app”), which are run from each respective device. In yet another embodiment of the present disclosure, the secure elements are logical secure elements running within a trusted execution environment (TEE) on each respective device. Smartphones 804 and 808, PC 802, and laptop 806 may include any number and/or combinations of physical, virtual, and/or logical secure elements.

Smartphones 804 and 808, PC 802, and laptop 806 each connect to the internet 811 through communication links 803, 807, 801, and 805, respectively. Communication links 801, 803, 805, and 807 may be any combination of wired and/or wireless connections, such as cellular, Wi-Fi, and/or land line connections, for example. Server 810 is connected to the internet 811 via communication link 809. Smartphones 804 and 808, PC 802, and laptop 806 communicate with one another through the internet 811 by utilizing a website, program, or application running from the server 809. Smartphones 804 and 808, PC 802, and laptop 806 form a network based on their common connection to the server 810 and communicate and exchange data with one another. For example, smartphones 804 and 808, PC 802, and laptop 806 communicate with one another using an instant messaging (IM) service and/or a social networking application.

Smartphones 804 and 808, PC 802, and the laptop 806 communicate and send data to server 810 according to a predetermined schedule. The data may include unique identification data, such as internet protocol (IP) addresses, serial numbers, and/or location data representative of the physical location of each respective device. The secure element within each of smartphones 804 and 808, PC 802, and laptop 806 sends the data to all of the devices connected to remote secure active network 800.

In an embodiment of the present disclosure, each of smartphones 804 and 808, PC 802, and laptop 806 sends the data to server 810 in continuous intervals, and the secure element within each of smartphones 804 and 808, PC 802, and laptop 806 communicates with server 810 to access the data. In this way, smartphones 804 and 808, PC 802, and laptop 806 do not need to maintain a log of data transmitted by every other device, as server 810 performs this functionality. The secure element within each of smartphones 804 and 808, PC 802, and laptop 806 sends the data to server 810 periodically and/or whenever one of smartphones 804 and 808, PC 802, and laptop 806 is in use.

Server 810 is configured to run network verification system 812, which may be implemented as a program, for example, that monitors the data sent by smartphones 804 and 808, the PC 802, and laptop 806. Server 810 logs the data as logged network 816, and compares logged network 816 to a reference network 814. Reference network 814 is a network which includes all members of the network which are expected to be in active communication with server 810. Network verification system 812 determines whether smartphones 804 and 808, PC 802, and laptop 806 are actively communicating with server 810 at any time by comparing logged network 816 to reference network 814.

In embodiments of the present disclosure, server 810 is configured to send notifications to smartphones 804 and 808, PC 802, and laptop 806 when a determination has been made that any of smartphones 804 and 808, PC 802, and laptop 806 are no longer active on remote secure active network 800. The notification may include the last logged location data for the device that is no longer in communication with server 810, as well as a warning that a particular user has been out of communication with server 810.

In further embodiments of the present disclosure, network verification system 812 is configured to make a determination that a user is no longer active on remote secure active network system 800 if data is not received from smartphones 804 and 808, PC 802, and laptop 806 within a threshold time set by a communications schedule. For example, each of the secure elements within smartphones 804 and 808, PC 802, and laptop 806 may be configured to send data to server 810 every 10 minutes. If network verification system 812 determines after this threshold time is exceeded that smartphone 804 has not sent data to server 810, then logged network 816 indicates that smartphone 804 is no longer active on the network, and notifications are sent to smartphone 808, PC 802, and laptop 806 accordingly.

Network verification system 812 may be configured to make a determination that a user is no longer active on remote secure active network system 800 if too much time expires after the most recently logged activity. For example, the secure elements within smartphones 804 and 808, PC 802, and laptop 806 may continuously send data to server 810 when each respective device is being used. For example, PC 802 may send data to server 810 when a keyboard connected to PC 802 is being used for typing, and otherwise not send the data. A threshold time may be set to 12 hours, for example, such that no activity for 12 hours after previously using the keyboard would notify smartphones 804 and 808, PC 802, and laptop 806 that PC 802 is no longer in communication with server 810.

Network verification system 812 may log user activity of each of smartphones 804 and 808, PC 802, and laptop 806 and build a user profile. The user profile for smartphones 804 and 808, PC 802, and laptop 806 reflects user activity for each respective device according to the time of day and/or day of the week, for example. By comparing the data sent to server 810 with the user profile for each respective device, network verification system 812 may send a notification to the devices connected to server 810 if the corresponding user does not operate the respective device before a time correlated with the user activity profile expires.

For example, the user profile for a user of smartphone 804 could indicate that the smartphone 804 is used every Wednesday night from 6 p.m. to 7 p.m. Regardless of any communications schedule, network verification system 812 may determine that the user is no longer in communication with server 810 if this time period elapses without any data sent by smartphone 804, and notify smartphone 808, laptop 806, and PC 802 accordingly.
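The server-side checks described for network verification system 812, as an added example (not code from the disclosure): a per-device reporting threshold (10 minutes, or 12 hours for the activity-driven PC) plus the weekly usage window from the user profile. Device names, location labels, timestamps and the data layout are constructed for the illustration.

```python
from datetime import datetime, time, timedelta

# Constructed reference network: device -> longest tolerated gap between reports.
REFERENCE_NETWORK = {
    "smartphone_804": timedelta(minutes=10),
    "smartphone_808": timedelta(minutes=10),
    "laptop_806": timedelta(minutes=10),
    "pc_802": timedelta(hours=12),  # reports only while the keyboard is in use
}
# Constructed user profile: (weekday, start hour, end hour); 2 is Wednesday.
PROFILES = {"smartphone_804": [(2, 18, 19)]}
# Constructed logged network: device -> [(report time, reported location)].
LOGGED_NETWORK = {
    "smartphone_804": [(datetime(2024, 1, 10, 17, 40), "loc-A")],
    "smartphone_808": [(datetime(2024, 1, 10, 19, 25), "loc-B")],
    "laptop_806": [(datetime(2024, 1, 10, 19, 28), "loc-C")],
    "pc_802": [(datetime(2024, 1, 10, 9, 0), "loc-D")],
}
NOW = datetime(2024, 1, 10, 19, 30)  # a Wednesday evening


def last_window(now, weekday, start_hour, end_hour):
    """Most recent occurrence of a weekly usage window that has fully elapsed."""
    for back in range(8):
        day = (now - timedelta(days=back)).date()
        end = datetime.combine(day, time(end_hour))
        if day.weekday() == weekday and end <= now:
            return datetime.combine(day, time(start_hour)), end


def check_network(reference, logged, profiles, now):
    """Compare the logged network with the reference network at time `now`."""
    notices = []
    for device, threshold in sorted(reference.items()):
        reports = logged.get(device, [])
        last_seen, last_location = max(reports, key=lambda r: r[0],
                                       default=(None, None))
        reasons = []
        if last_seen is None or now - last_seen > threshold:
            reasons.append("report overdue")
        # The profile check applies regardless of the reporting schedule.
        for window in profiles.get(device, []):
            start, end = last_window(now, *window)
            if not any(start <= seen < end for seen, _ in reports):
                reasons.append("expected usage window missed")
        if reasons:
            notices.append({"device": device, "reasons": reasons,
                            "last_location": last_location,
                            "notify": sorted(set(reference) - {device})})
    return notices


if __name__ == "__main__":
    for notice in check_network(REFERENCE_NETWORK, LOGGED_NETWORK, PROFILES, NOW):
        print(notice)
```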

Although the description of the present disclosure is described in terms of physical devices attached to an active secure network, those skilled in the relevant art(s) will recognize that the present disclosure may be applicable to other devices that are capable of being identified, monitored, and/or tracked using any unique identification without departing from the spirit and scope of the present disclosure. For example, although the present disclosure is described using physical devices connected to the secure active network, those skilled in the relevant art(s) will recognize that virtual devices or databases may be a part of the secure active network without departing from the spirit and scope of the present disclosure.

The disclosure has been described above with the aid of functional building blocks illustrating the implementation of specified functions and relationships thereof. The boundaries of these functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternate boundaries may be defined so long as the specified functions and relationships thereof are appropriately performed.

It will be apparent to those skilled in the relevant art(s) that various changes in form and detail may be made therein without departing from the spirit and scope of the disclosure. Thus the disclosure should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.

Embodiments of the invention may be implemented in hardware, firmware, software, or any combination thereof. Embodiments of the disclosure may also be implemented as instructions stored on a machine-readable medium, which may be read and executed by one or more processors. A machine-readable medium may include any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computing device). For example, a machine-readable medium may include non-transitory machine-readable mediums such as read only memory (ROM); random access memory (RAM); magnetic disk storage media; optical storage media; flash memory devices; and others. As another example, the machine-readable medium may include transitory machine-readable medium such as electrical, optical, acoustical, or other forms of propagated signals (e.g., carrier waves, infrared signals, digital signals, etc.). Further, firmware, software, routines, instructions may be described herein as performing certain actions. However, it should be appreciated that such descriptions are merely for convenience and that such actions in fact result from computing devices, processors, controllers, or other devices executing the firmware, software, routines, instructions, etc.

What is claimed is:
 1. A secure network element, comprising: a communications module configured to receive location data, indicating a location of a second secure network element, according to a first communications protocol at scheduled communication sessions; and a processor configured to: compare the location data to a reference location data range at the scheduled communication sessions, change an encryption in response to determining that the location data deviates from the reference location data range, and change the first communications protocol to a second communications protocol in response to determining that communications have been lost between the secure network element and the second secure network element.
 2. The secure network element of claim 1, wherein the communications module is further configured to attempt to exchange data with the second secure network element, the data being indicative of an identification of the secure network element and the second secure network element, according to the first communications protocol.
 3. The secure network element of claim 2, wherein the processor is further configured to change the first communications protocol to the second communications protocol if a number of failed data exchanges exceeds a threshold number.
 4. The secure network element of claim 1, wherein the communications module is further configured to: encrypt data sent to the second secure network element in accordance with a first encryption as part of the first communications protocol, and encrypt data sent to the second secure network in accordance with a second encryption as part of the second communications protocol.
 5. The secure network element of claim 1, wherein the first communications protocol includes wireless communication according to a first frequency, and wherein the second communications protocol includes wireless communication according to a second frequency.
 6. The secure network element of claim 2, further comprising: a memory configured to store data received from the second secure network element as logged data, wherein the logged data includes a timestamp corresponding to each of the communication sessions and an indication of whether data was received from the second secure network element.
 7. The secure network element of claim 2, wherein the secure network element is coupled to a device, the secure network element further comprising: a memory for storing an encrypted serial number of the device as the identification of the secure network element.
 8. In a secure network element, a method comprising: attempting to exchange location data with a second secure network element according to a communication protocol; determining expected location data for the second secure network element; generating a data log based on the location data, the data log comprising: a plurality of timestamps corresponding to the communications protocol, and a plurality of indications, for respective timestamps in the plurality of timestamps, regarding whether the data was received from the second secure network element; changing an encryption key in response to determining, based on the location data log, that the location data from the second secure network element deviates from the expected location data; and changing the communication protocol in response to determining that communications have been lost between the secure network element and the second secure network element.
 9. The method of claim 8, further comprising: changing the communication protocol if the location data received from the second secure network element indicates that the second secure network element traveled outside a predetermined zone.
 10. The method of claim 8, further comprising: sending a data flag to the second secure network element if the data log indicates that a total number of instances the data was not received is above a threshold number.
 11. The method of claim 8, further comprising: changing the communications protocol upon receipt of a data flag sent by the second secure network element.
 12. A method for dynamic network operation, the method comprising: determining a communication partner of a secure network element that is within a communication range of the secure network element; determining expected location data for the communication partner; creating a data log based on location data exchanged with the communication partner; changing an encryption key in response to determining, based on the data log, that the location data from the communication partner deviates from the expected location data; and changing a communication protocol in response to determining, based on the data log, that communications have been lost between the secure network element and the communication partner.
 13. The method of claim 12, further comprising: monitoring data flags received from the communication partner.
 14. The method of claim 12, further comprising: receiving a data flag from the communication partner; and determining a type of communication anomaly based on the data flag.
 15. The method of claim 12, further comprising: retrieving communication profile settings corresponding to the data flag in response to determining that a data flag was received from the communication partner.
 16. The method of claim 12, further comprising: setting a low priority data flag in response to determining that communications have been lost between the secure network element and the communication partner; and setting a high priority data flag in response to determining that the location data from the communication partner deviates from the expected location data.
 17. The method of claim 12, further comprising: determining whether a number of communication errors received from the network partner exceeds a threshold number of errors in a reference network signature of the communication partner.
 18. The method of claim 12, further comprising: determining, based on a comparison between the data log and an expected data log, whether the communication partner has been compromised.
 19. The method of claim 12, wherein the data log further comprises expected location data for a plurality of communication partners, and wherein the method further comprises: generating a reconstructed network of the plurality of communication partners based on the data log.
 20. The method of claim 19, further comprising: comparing the reconstructed network with reference network signatures of the plurality of communication partners; and determining, based on comparing the reconstructed network with the reference network signatures, whether the plurality of communication partners comprises an anomalous communication partner.